A little hungry… and an empty bank account… It is, among other things, through a fake Polish-language site of a meal delivery application that a banking Trojan comes to seize the bank details of its victims. The malware, detected by a cybersecurity company, is no stranger: this is Ermac in a revised version. This virus was one of those that plagued the Play Store at the end of last year.
This new version reaches the mobile from the moment you click on a malicious link. In our example, it could be an imitation of the Polish version of Bolt Food, a fast-food chain, for example. But, in all cases, the vector that gets the victim to click on the link is an email, a malicious post online, or spoofed advertising.
The objective is to have the application downloaded directly onto the mobile so that it can escape Play's security systems. Once the app is installed, it asks for permissions that give it full control of the device. The application then looks for the applications with which users are accustomed to making payments directly.
Android 11 and 12 strengthen protection
It attacks many banking applications from around the world. It keeps 467 of them in memory, and knows how to clone the interface of each of them; that is almost a hundred more applications than at the beginning of the year. Then, to loot the bank account, the victim just needs to use one of these applications. Instead of entering identifiers in the real application, the victim enters their credentials and bank details on a cloned interface.
In addition to many popular applications, the Trojan is also capable of stealing cryptocurrency wallets. Ermac is for sale, and acquiring it now costs $5,000 for a hacker. That is $2,000 more than its first version, which means it is worth the investment for hackers. But there is still a catch in this well-oiled mechanism, because with versions 11 and 12 of Android, the integrated protection prevents an accessibility setting that is essential for the deception to work.
Android: watch out for these apps that steal your bank details
For four months, twelve Android applications had thwarted the protections of the Play Store. They made it possible to collect personal data including banking information. They were very difficult to detect. Google removed them.
Article by Sylvain Biget, published on
They are twelve in number and took time to be discovered by cybersecurity researchers. This is a batch of spoofed Android apps from the Play Store. They passed through the security systems. Downloaded more than 300,000 times over four months, they contained banking Trojan horses that came to siphon users' banking data.
Keystrokes were also recorded, and the malware took advantage of this access to capture other data. Seemingly harmless apps, such as a scanner or a management tool, contained up to four malware families. The researchers had a hard time detecting the harmful payload of these applications, and it is precisely thanks to this weak signature that they passed under the radar of Google's automatic detection systems. It should be noted that it was only after the installation of the application that the payloads were fetched, in the form of updates from sources other than the Play Store.
Updates to install malware
The creators of this malware are clever: in order not to attract attention, the installation of the malicious code was not systematic, and they only targeted certain geographical areas. Likewise, the applications had every appearance of being legitimate and had positive reviews. They functioned normally and performed the task for which they had been designed. The banking Trojan with the most operations goes by the name Anatsa. The other three include Alien and Ermac. All were delivered via a module called Gymdrop. By not systematically fetching the payload, it was this module that made it possible not to attract the attention of the security systems.
While last week nine million devices were contaminated by an application present on Huawei's AppGallery, malware detection is still one of the main concerns, especially at Google. Over the past ten years, many infected applications have found their way into the Play Store. They are removed immediately upon being detected; but, as this example shows, despite advanced protection systems, hackers are always one step ahead in fooling them.